Salesforce.com hit by phishers

Salesforce.com, a CRM software vendor, has fallen victim to a phishing scheme.

The company informed customers about it in a letter sent out earlier this week. In the letter, Salesforce.com emphasized that a security breach was not to blame for the rise in phishing e-mails directed at customers. Rather, the company said, a Salesforce.com employee had received a phishing e-mail and unwittingly revealed a password.

The e-mail that duped the employee also copied a customer contact list. The list included customers' names, company names, e-mail addresses, telephone numbers and other data. Some Salesforce.com customers have since received phishing e-mails resembling Salesforce.com invoices, and a percentage of these customers ended up giving out their passwords.

In its letter, the company admitted that phishing e-mails directed at Salesforce.com customers had been rising for the past few months. Most recently, a new wave of bogus e-mails reached a larger group of customers than were originally affected. These latest e-mails included malware attachments capable of installing viruses and key loggers on customers' computers.

Salesforce.com support and security teams have been working with affected customers to enhance their security. The company has also contacted law enforcement and industry experts in an effort to track the culprits and tighten company security.

Part of the Salesforce.com response to the phishers is new, more intense security education, coupled with tighter access policies within the Salesforce.com site. The company will be hosting an educational Webinar on security Thursday, November 8.

Headquartered in San Francisco, Salesforce.com has nearly 1 million subscribers to its on-demand CRM software.